SPDX-FileCopyrightText: 2026 Outcrop Inc<br>SPDX-License-Identifier: MIT<br>Repository: blog<br>File GUID: 392a3758-8bcc-4d73-9c5a-a62b9e32d105<br>Created: 2026<br>-->
Keycloak with Claude, Codex & A Whole Lot of Coffee · Priya Vijai Kalyan
to prevent theme flash. -->
SPDX-FileCopyrightText: 2026 Outcrop Inc<br>SPDX-License-Identifier: MIT<br>Repository: blog<br>File GUID: 40ad3763-bf9c-4b4d-a7bf-57173d368800<br>Created: 2026<br>-->
The Problem
Hello. I've been working on a side project: a collection of tools I wished existed in a better form, and in some cases tools which don’t exist at all as far as I can tell. I initially started out building them to use only local storage (single page HTML app that could run in my browser and lived offline), but quickly realized that’s not a long term workable solution. As I built the backend, I adopted Auth0 for authentication; it was simple to get started with. I have some vague idea of making the hosted version public a few months down the line while open-sourcing it. As I used the tools I built, I realized that I was copying data back and forth with the AIs I use: Claude & Codex. The obvious next step was to expose these web apps I'd written to tools like Claude and Codex, so I could pull data out of them directly or have these tools co-work with me inside the apps. An MCP endpoint looked like the most useful path. So I started building one, and put Auth0 in front for authentication.
Turns out that if you want an MCP endpoint that agents can register against the way Claude Code, Codex, and the rest do, you need OAuth 2.1 plus DCR (dynamic client registration.) You also have to decide the scope bundles, host a consent page, deal with client registration, build a connected clients page, deal with consent in pre-authenticated and fresh authentication scenarios and more. And when I looked, OAuth 2.1 + DCR on Auth0 meant leaving the free tier for the Professional plan, around $250 a month, capped somewhere around 500 to 1000 monthly active users.
The $250 by itself wasn't the issue. The problem is how that kind of pricing scales for any SaaS. If you expect your user count to grow, you end up paying per user. Further, additional and more advanced features live further up the tiers. I didn't want to bake that into apps I might open source, and if I later wanted to host and sell them, it's real opex from day one.
Down the Rabbit Hole
So I went down a rabbit hole. I looked at Clerk and several other managed providers, not just Auth0. For what I needed, OAuth 2.1 + DCR with room to grow users, the economics came out broadly similar across the managed options: fine to start but a curve I didn't like as MAU scaled. The key blocker for me was paying the 250$ or so a month for low volume infrastructure to get more capabilities. So, I weighed the open-source options, and eventually settled on hosting Keycloak myself. I am currently using a single instance, always on Cloud Run instance (1 GiB, 1 vCPU) with a Supabase backend, Cloudflare doing DNS and proxy in front of the broker. That’s about 60$ for the infrastructure for now. At some point in the future, I plan to move all of the infrastructure onto a Hetzner host which would be cheaper & faster considering I might have a background worker, Redis, Keycloak and the app running on it + monitoring, proxying etc. ~100$ a month for everything. The cost/performance of that will be better because I don’t mind doing a small amount of operations.
Access
The Keycloak repo and the components and theme repo are linked here. If you want to do this, you should be able to clone it and adapt it. The app’s repo is separate and private at this time.
IdP: https://github.com/priyavijaikalyan2007/idp
Theme: https://github.com/priyavijaikalyan2007/b2btheme
Note that, I have templatized the above Keycloak repo with an example domain (yourapp.com). I had Codex run the contents and history through Trufflehog and Gitleaks and scrub any sensitive data or dangling references to my app. Clone it, adapt it, and you should be able to get this going without repeating everything I did or spending the same amount of time. Hope this is useful for you. Enjoy.
Using AI
I want to be upfront about how the work actually got done, because it's part of the story. I used three AI tools, each in a specific role:
Claude on the web did the research, the specs, the brainstorming, and the errata log, all the thinking and writing about what to build and why.
Claude Code did the implementation at every turn, the SPIs, the theming, building out each fix.
Codex ran the security review passes.
The AIs wrote basically everything. The specs, the design docs, the errata, the code, the review notes.
My job was the other part: reading the outputs, questioning them, wiring it all together, testing, deploying, configuring, thinking about the end to end experience and deciding when it was wrong.
Repository Setup
My setup has three repos.
The app repo
The Keycloak repo
The components & theme...